Today's computer systems commonly employ operating systems that allow a process (software module) to run in either a user-mode or a kernel-mode. Generally speaking, an operating system will not allow the process to perform certain actions when in the user-mode; for example, it prevents access to a particular block of memory or prevents an attempt to modify certain data. However, when the process is in the kernel-mode, the operating system generally does not place any restrictions on the actions performed by the process; for instance, the process can access a block of memory that would not be accessible in the user-mode.
Because a process operating in the kernel-mode generally does not have any restrictions placed on its actions, it is of paramount importance that such a process is closely scrutinised to ensure the integrity of the computer system is not compromised. There are numerous software packages on the market that scrutinise processes in the kernel-mode by analysing their actions. However, these software packages have been designed to operate in the kernel-mode themselves when analysing the actions. Unfortunately, this not only makes the software packages relatively complex, but also has the potential to give rise to significant compatibility problems with other security software and, in some cases, standard software applications.